Analysis of a Fair Exchange Protocol

1
Analysis of a Fair Exchange Protocol

• Vitaly Shmatikov John Mitchell
• Stanford University

2
Agreement in Hostile Environment

• Cannot trust the communication channel
• Cannot trust the other party in the protocol
• Trusted third party may exist
• Last resort use only if something goes wrong

3
Contract Signing
Immunity deal

• Both parties want to sign the contract
• Neither wants to commit first

4
Fairness
If A cannot obtain a contract, then B should not
be able to obtain a contract, either
(and vice versa)
Example (Alice buys a house from Bob)
If Alice cannot obtain a deed for the
property, Bob should not be able to
collect Alices money
5
Accountability
If trusted party T misbehaves, then honest party
should be able to prove Ts misbehavior
Example (Alice buys a house from Bob)
If escrow service gives Bob Alices money
without giving Alice the deed,
Alice should be able to prove to a
judge that escrow service is cheating
6
Formal Protocol Analysis
Informal Protocol Description
Intruder Model
Formal Protocol
Analysis Tool
Gee whiz. Looks OK to me.
7
Murj Dill et al.

• Describe finite-state system
• State variables with initial values
• Transition rules
• Communication by shared variables
• Scalable choose system size parameters
• Specify correctness condition
• Automatic exhaustive state enumeration
• Hash table to avoid repeating states
• Success with research, industrial protocol
  verification

8
Optimistic Contract Signing
Asokan, Shoup, Waidner
A
B
m1, RA, m2, RB
9
Several Forms of Contract

• Contract from normal execution
• Contract issued by third party
• Abort token issued by third party

m1, RA, m2, RB
sigT (m1, m2)
sigT (abort, a1)
10
Role of Trusted Third Party

• T can issue an abort token
• Promise not to resolve the protocol in the future
• T can issue a replacement contract
• Proof that both parties are committed
• T decides whether to abort or resolve on the
  first-come-first-serve basis
• T only gets involved if requested by A or B

11
Abort Subprotocol
A
B
Network
12
Resolve Subprotocol
B
Net
A
13
Race Condition
A
m1 sigA (PKA, PKB, T, text, hash(RB))
B
m2 sigB (m1, hash(RB))
a1 sigA (abort, m1)
r1 m1, m2
T
14
Attack
A
secret QB, m2
contracts are inconsistent!
15
Replay Attack
sigA ( hash(RA))
Intruder causes B to commit to old contract with
A
B
A
sigB (... hash(RB))
RA
RB
16
Repairing the Protocol
m1 sigA (PKA, PKB, T, text, hash(RA))
m2 sigB (m1, hash(RB))
A
B
sigA ( , hash(RB))
m3 RA
m4 RB
m1, RA, m2, RB
17
Another Property Abuse-Freeness
No party should be able to prove that it can
solely determine the outcome of the protocol
Example (Alice buys a house from Bob)
Bob should not be able to show Alices offer
to Cynthia so that he can convince
Cynthia to pay more
18
Conclusions

• Fair exchange protocols are subtle
• Correctness conditions are hard to formalize
• Unusual constraints on communication channels
• Several interdependent subprotocols
• Many cases and interleavings
• Finite-state tools are useful for case analysis